Lots of people now have devices in their homes such as video cameras, baby monitors, music systems and photo or document storage that can be accessed online. It can be very useful to access these devices from outside your home over the internet but you need to make sure that you aren’t at risk of revealing your personal details to other people.
We’re continuing to work with manufacturers about what they can do, but there are some simple security steps you can take too. If you don’t, you could find your personal information easily accessible by popular search engines, casual browsing or more determined attackers who could then use your equipment to mount attacks on others or take your personal data to commit identity fraud.
What actions should I take?
If you are using these devices you should consider the following:
Research the security of a product before buying
Electronic devices are no different to other products you purchase in that you should conduct some research before buying about which one is right for your needs. Look for reputable reviews paying particular attention to whether or not any guarantees are given by the manufacturer about product updates in the future if a security issue is identified.
Is your router secure?
If you’ve installed a device in your home and connected it to your network, the default settings of your router might be exposing it to the internet. It may therefore be visible to other online users, potentially including attackers who may use it to access your network and the information stored there.
If you want to access that device from outside your home then it needs to be accessible from the internet, but whilst some devices require some form of password protection, others either don’t or they use a default (and potentially discoverable) password. If there is no protection in place, your personal information could even become available on popular search engines.
Change passwords and usernames from default
If you only take one security step when getting any new device, make sure you set a strong password – one that should not be known by anyone else or be easy to guess. Computers can also attempt to crack many different passwords automatically so a strong password also needs to be as long as possible, and should contain upper and lowercase letters, numbers and special characters (eg $ # @ and ]).
When you begin using your device you may be given a simple default password that you’ll need to enter to get it working. This might be blank or something as simple as ‘password’ or ‘123456’. Even if it isn’t, the default passwords many manufacturers use are freely available online (one common source being operating manuals, which can be downloaded from manufacturers’ websites) so make sure you change them. If the device doesn’t have a password, then you should set one up.
Remember, if the password is easy to guess or known to attackers they will be able to gain access to the device in the same way that you do.
You can get more information about choosing better passwords at Get Safe Online and Cyber Streetwise. You should also use a different password for each account and device because if one is obtained by an attacker the others will still be safe.
Known security vulnerabilities
Over time, problems can be found in the software running on these devices which can only be fixed by manually installing the updates provided by the manufacturer. Check the manufacturers’ website to see if there have been any updates that address known security vulnerabilities and install these updates in a timely manner. This includes your router. But be warned, updating the software of a device can overwrite the data or settings so check the manual and make sure you have a backup of your data and/or configuration settings.
Check all the available security settings
Don’t just plug your device in and skip as much of the set-up process as possible. Take time to read the manual and understand the options available to keep your information secure.
You may think that typing in an obscure web address or only using a smart phone app to access your device provides some level of protection. However, this will not protect you from the remote software and websites that attackers often use to scan the internet for vulnerable devices. In some cases, insecure cameras can be identified using nothing more than an internet search engine.
If you have a device in your home and have no intention of accessing the information over the internet (eg you might only want to view a baby monitor from the living room), then the best thing to do is to go into the device’s security settings and see if you can turn the remote viewing option off. Selecting this option will not normally stop you from viewing the footage using your home Wi-Fi network, however you should read the manufacturer’s instructions to see what controls are available on your device.
As a last resort, you can always cover the lens if you don’t want to use the camera all of the time but this would have no effect on the microphone, if there is one.
If there’s a two-step identification option – use it
Two-step authentication offers you an additional layer of security when logging in to an online service.
Whilst few devices will offer this service, the website you use to view the data might. It often works by asking you an additional security question, or by sending a code to your mobile phone or email account that you must enter during the login process. Sometimes you can have a separate device which generates these codes.
Using two-step or two-factor authentication means that if your username and password are compromised, a criminal cannot gain access to your account data without also compromising your mobile phone or code generator. Therefore if you have this option turned on, your information has a much greater chance of remaining secure.